a policy driven approach to software defined networking by amir sharif at suse openstack partner...

Post on 11-Jul-2015


Copyright 2013 Alcatel-Lucent. All rights reserved.

Amir Sharif (@amir_sharif), Business Development, Nuage Networks

A Policy Driven Approach to Software Defined Networking

SDN in 2014

OpenFlow Controllers

Network Virtualization

White Box Switching

Open Source Projects

Network as a Service

Plenty of Innovation and Disruption…

Why SDN?

Reduce Cost

Asset Utilization

Self Service

Automation

Make the network more “Cloud” like

We’re making great progress

The “Consumption shift”

Cloud is changing the way technology is being consumed

From “order and wait”

To “instant gratification”

Consumer expectations are shifting

Multiple personas

Single user

On-demand personalized catalogue

Compute is Virtualized

Available in Minutes

Network is Partially Virtualized

Configuration takes Days/Weeks

[Diagram: Datacenter Network. Labels: New Tenant / Application Request; Compute Management; Auto-instantiation; Compute Request completed in minutes; Network Configuration; Help Desk; Change Control; IP Address; VLAN Address; Firewall Configuration; LAN (VLAN) Configuration; WAN (IP) Configuration; Security / QA Team; Project Coordinator; Network Change completed in days/weeks.]

Service velocity is hindered by manual network process

Network is “more” virtualized

Some things available in minutes – Some not so much

Many network elements are manually configured

Manual per-tenant network configurations

[Diagram: Software Defined Datacenter Network. Labels: New Tenant / Application Request; Compute Management; Auto-instantiation; Compute Request completed in minutes; Network Configuration; SDN Controller; some Network Change completed in minutes.]

Service velocity accelerated, but…

Committees still build “networks”

Audits/reviews

In a NaaS environment (OpenStack Neutron, AWS, etc.) this is delegated to the tenant

Is this what your DevOps team should be doing?

We’ve only addressed part of the automation problem

[Diagram: Software Defined Network Configuration. Labels: DevOps Team; VLAN Address; IP Address; WAN (IP) Configuration; Firewall Configuration; Network Configuration created in days/weeks.]

Current Neutron Networking provides building blocks to create logical topologies: Networks, Ports, Subnets, Routers, Security Groups

neutron net-create web

neutron subnet-create --name web-subnet web 10.0.0.0/24

neutron router-create router1

neutron router-interface-add router1 web-subnet

Not abstracted into a consumable model

OpenStack Neutron Networks

[Diagram: web, app and db networks with attached VMs.]

Puts the burden of topology design on the DevOps team

DevOps has an understanding of the specific application needs: Segmentation, Port numbers, Connectivity goals

Should not be burdened with the implementation details: Routes, Subnets, VLANs

The DevOps team needs an Abstracted view

A DevOps View

[Diagram: web, app and db tiers, each containing three VMs.]

What is a network Policy?

OpenStack Group Based Policy Abstractions for Neutron
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

• An Application-centric approach to networking
• Moving away from traditional network constructs
  • ports, subnets, routers, etc.
• Aiming for a highly abstracted interface for application developers to
  • express desired connectivity of application components
  • and express high-level policies governing that connectivity
• Without imposing constraints on the underlying implementation

Policy Abstractions for Neutron

[Diagram labels: Outside EPG; Web EPG; App EPG; DB EPG (each containing VMs); Web Contract; App Contract; App Contract; Public Network; Private Networks.]

• Endpoint (EP) – an IP addressable entity
• Endpoint Group (EPG) – a grouping of Endpoints
• Policy Rule – individual rule that defines communication criteria
• Contract – a collection of Policy Rules that are applied to traffic between EPGs
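
The four terms above as a small in-memory model (an added example, not from the original slides and not the Neutron Group Based Policy API). All class and function names are hypothetical, the addresses, ports and contract names are constructed sample data, and the default-deny behaviour and the "outside" catch-all group are assumptions of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# All names below are hypothetical; this is not the Neutron GBP API.

@dataclass(frozen=True)
class PolicyRule:            # one communication criterion
    protocol: str
    port: int
    action: str = "allow"

@dataclass(frozen=True)
class Contract:              # a collection of Policy Rules
    name: str
    rules: tuple

class PolicyModel:
    OUTSIDE = "outside"      # assumption: an address in no EPG is "outside"

    def __init__(self):
        self.epgs = {}       # EPG name -> set of Endpoint addresses
        self.bindings = {}   # (consumer EPG, provider EPG) -> Contract

    def add_epg(self, name, *ips):
        self.epgs[name] = {ip_address(ip) for ip in ips}

    def bind(self, consumer, provider, contract):
        self.bindings[(consumer, provider)] = contract

    def epg_of(self, ip):
        addr = ip_address(ip)
        return next((n for n, eps in self.epgs.items() if addr in eps),
                    self.OUTSIDE)

    def is_allowed(self, src_ip, dst_ip, protocol, port):
        # Assumption: default deny. Traffic passes only when a contract is
        # bound between the two EPGs and one of its rules allows it.
        key = (self.epg_of(src_ip), self.epg_of(dst_ip))
        contract = self.bindings.get(key)
        if contract is None:
            return False
        return any(r.action == "allow" and (r.protocol, r.port) == (protocol, port)
                   for r in contract.rules)

def build_three_tier():
    # Constructed sample data: web/app/db EPGs and the contracts between them.
    m = PolicyModel()
    m.add_epg("web", "10.0.0.11", "10.0.0.12")
    m.add_epg("app", "10.0.1.11")
    m.add_epg("db", "10.0.2.11")
    m.bind("outside", "web", Contract("web", (PolicyRule("tcp", 443),)))
    m.bind("web", "app", Contract("app", (PolicyRule("tcp", 8080),)))
    m.bind("app", "db", Contract("db", (PolicyRule("tcp", 3306),)))
    return m
```

With this model, a web endpoint reaching the db tier directly is refused because no contract is bound between those two groups, which is the segmentation a reviewer would check for in a three-tier policy.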

[Diagram labels: Application Request; SDN Framework; Service Mapping; Service Binding; Application Attributes; Topology Attributes; Technology Attributes; web, app and db tiers with VMs.]

To Achieve a Policy Driven Network

Policy Driven Networking Delivered

Nuage has provided policy abstractions for virtual and physical networks since our first release

L2, L3, ACLs, QoS, Service Chaining, Traffic Statistics

Difficult to express using existing Neutron constructs…

Which is why we’re contributing to Group Based Policy

Cleanly express application policy in Neutron

Nuage Networks Virtualized Services Platform (VSP)

R3.0 GA in September 2014

Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics

Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set

Virtual Routing & Switching (VRS)
• Distributed switch / router – L2-4 rules
• Integration of bare metal assets

[Diagram labels: Cloud Service Management Plane (Virtualized Services Directory); Datacenter Control Plane (Virtualized Services Controller); Datacenter Data Plane (Virtual Routing & Switching); Hypervisors; Brooklyn Datacenter - Zone 1; IP Fabric; Edge Router; MP-BGP; Hardware GW for Bare Metal.]

Nuage Networks Virtual Services Platform

Datacenter Network

Open solution

Consistent capabilities across
• Any Compute Virtualization Environment
• Any Datacenter Networking Hardware
• Any Server or Hypervisor

Nuage Networks policy templates and role-based workflow

Service velocity is not hindered by manual network process

[Diagram labels: Tenant / Application Request; Compute Management; Auto-instantiation; Compute Request completed in minutes; Networking; Security / Compliance; Templates; IP address; WAN interconnect; Policy / Security Zones; L2 / L3 Service AD; Service chaining; Nuage Networks VSP; Network Change completed automatically.]

Policy Instantiation
• IP address 10.x.y.z
• VLAN configuration
• WAN configuration
• Security / FW settings
• QoS parameters
• …

Conclusions

• Creation of distributed virtual switches and virtual routers - great for virtual networks and better than VLANs, but …

• Creates a distributed virtual configuration and management challenge

• Provisioning and management of these endpoints cannot be done with traditional methodology

• Policy abstraction is a proven framework

• Successfully shipping since May 2013

For more information…

• Nuage Networks Virtualized Services Platform

• http://www.nuagenetworks.net

• OpenStack Neutron Group Based Policy Abstraction

• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

• OpenDaylight Application Policy Plugin

• https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin

11/10/2014

Network Policy NOW

@nuagenetworks

@amir_sharif
